Readers spoke with Darren Mar-Elia about Group Policy Troubleshooting on February 24, 2005. Below is a transcript of the chat:

2005-02-24 11:50: Adam Carheden said "Greetings Everyone. We will be starting in a few minutes.
2005-02-24 11:51: Adam Carheden said "Please feel free to ask questions at any time. The topic is Group Policy Troubleshooting.
2005-02-24 12:00: admin said "Greetings everyone. Darren is with us and we'll be starting shortly. Feel free to ask questions at any time.
2005-02-24 12:03: tconnell said "Hi everyone. Question: If you configure a user based group policy and apply it to an OU with computers in it, does everyone that logs into that PC get the user based policy?
2005-02-24 12:03: mikepiet said "Darren, I have been researching group policy tattooing. Can you please elaborate as to when it happens and how to avoid it.
2005-02-24 12:06: Adam Carheden said "Hi everyone. Question: If you configure a user based group policy and apply it to an OU with computers in it, does everyone that logs into that PC get the user based policy?
2005-02-24 12:06: Adam Carheden said "Darren, I have been researching group policy tattooing. Can you please elaborate as to when it happens and how to avoid it.
2005-02-24 12:06: tconnell said "What does that mean whisper?
2005-02-24 12:07: admin said "Thank you everyone for joining. Darren is having some trouble with his machine, but will be back to answer the questions that have been asked in a minute.
2005-02-24 12:08: admin said "If you've asked a question, please restate it in case we lose them in the process
2005-02-24 12:08: admin said "Darren will be back momentarily
2005-02-24 12:10: admin said "Whisper allows you to speak to only one person
2005-02-24 12:11: admin said "There were two questions that we seem to have lost due to some technical issues. If you've asked a question, please type it in again and we'll get them answered
2005-02-24 12:11: tconnell said "Question: If you configure a user based group policy and apply it to an OU with computers in it, does everyone that logs into that PC get the group policy? Question: Are there some Computer based group policy settings that take effect even though they are applied to an OU with users in it?
2005-02-24 12:12: Adam Carheden said "Question: If you configure a user based group policy and apply it to an OU with computers in it, does everyone that logs into that PC get the group policy? Question: Are there some Computer based group policy settings that take effect even though they are applied to an OU with users in it?
2005-02-24 12:13: Darren Mar-Elia said "tconnell: the answer to your question is that user policy only applies to user objects and computer policy to computer objects. The only way a user policy would apply based on the computer that a user logs onto would be if you use loopback policy
2005-02-24 12:14: Michael Pietrzak said "Darren, I have been looking at some group policy "Tattooing". Can you please elaborate on when it happens and why?
2005-02-24 12:14: Adam Carheden said "Darren, I have been looking at some group policy "Tattooing". Can you please elaborate on when it happens and why?
2005-02-24 12:15: jsclmedave said "Have the tech problems been fixed?
2005-02-24 12:16: Michael Pietrzak said "Did my last question get through, admin?
2005-02-24 12:16: admin said "We have resolved the technical issues and Darren is back answering questions.
2005-02-24 12:17: Darren Mar-Elia said "Tattooing occurs when you have registry policy that is made against values that don't fall under the 4 special keys that Windows manages. Normally if you set a policy under those 4 keys, each time registry policy is processed, all values under those keys are removed and then re-applied. This ensures that any policies that were removed from a GPO get removed from the computer or user where they were held. Tattooing occurs when you make a reg change outside of these 4 keys, and then remove that policy--because those outside values are not removed during normal policy processing
2005-02-24 12:17: admin said "If you logged out and logged back in, you can read the entire chat transcript by clicking the clipboard icon just below the chat window
2005-02-24 12:18: tconnell said "I saw an article on your site about adding templates for other MS products. If I add the templates for Office 2K, should I add them to the computer or user section of a GPO?
2005-02-24 12:19: Darren Mar-Elia said "Just an FYI, I have a site that I maintain on GP--at www.gpoguy.com
2005-02-24 12:19: Adam Carheden said "I saw an article on your site about adding templates for other MS products. If I add the templates for Office 2K, should I add them to the computer or user section of a GPO?
2005-02-24 12:19: Darren Mar-Elia said "It actually doesn't matter whether you add them on the computer or user side. If the templates contain user policies they will show up there, and the same for computer policies.
2005-02-24 12:20: admin said "To anyone who just entered or returned, Darren Mar-Elia is answering Group Policy questions. To see the entire chat transcript, click the clipboard icon just below the chat window.
2005-02-24 12:22: Michael Pietrzak said "Darren, for the policy "Always wait for network at computer startup and logon" = Enabled, where is the best place to apply that GP at? Domain level or at each OU
2005-02-24 12:23: Darren Mar-Elia said "Have people been using SP2 Firewall aggressively in their environment and if so, are you using GP to configure it? Is that working well?
2005-02-24 12:23: admin said "To anyone who just entered or returned, Darren Mar-Elia is answering Group Policy Questions. To see the entire chat, click the clipboard icon just below the chat window.
2005-02-24 12:23: Adam Carheden said "Darren, for the policy "Always wait for network at computer startup and logon" = Enabled, where is the best place to apply that GP at? Domain level or at each OU
2005-02-24 12:23: jsclmedave said "Two Point Question: 1) Still looking for a way to disable HTTP and Rich Text via GP and Outlook 2003 on a 2003 server. Email is converted to plain text upon receipt but users can still select dropdown box and select HTTP or Rich Text for reply, as well as initial email they are sending. 2) Turning off Active hyper links in email messages, I do not want users to have the ability to click on any links they receive via email.
2005-02-24 12:23: Darren Mar-Elia said "Have people been using SP2 Firewall in their environments and if so, are you using GP to configure it? How is that working?
2005-02-24 12:24: Adam Carheden said "Two Point Question: 1) Still looking for a way to disable HTTP and Rich Text via GP and Outlook 2003 on a 2003 server. Email is converted to plain text upon receipt but users can still select dropdown box and select HTTP or Rich Text for reply, as well as initial email they are sending. 2) Turning off Active hyper links in email messages, I do not want users to have the ability to click on any links they receive via email.
2005-02-24 12:25: Darren Mar-Elia said "To me that is a universal policy--I would apply it at the domain level. I can't think of any reason why you wouldn't apply it everywhere unless you really want fast logon optimization for certain users.
2005-02-24 12:25: Michael Pietrzak said "We are using SP2 just fine at my work. Configuration via group policy is working great. No problems thus far.
2005-02-24 12:25: Adam Carheden said "We are using SP2 just fine at my work. Configuration via group policy is working great. No problems thus far.
2005-02-24 12:25: Michael Pietrzak said "Thanks for that answer!
2005-02-24 12:25: Adam Carheden said "Thanks for that answer!
2005-02-24 12:26: timsw said "All of my Windows PC's are at SP2 and can I modify the GPO to open or close ports. My AV needs certain ports opened, but I'm not thrilled with having to modify every PC individually.
2005-02-24 12:26: Darren Mar-Elia said "Yes, I don't believe these are exposed in the Office 2003 ADM templates, unfortunately. There are some third parties, like the Autoprof (now Desktop Standard) that may expose that in their Office policy extensions.
2005-02-24 12:27: Darren Mar-Elia said "Thanks for that--anyone started working with the Server 2003, SP1 firewall? Similar to XP's but for the server.
2005-02-24 12:27: Adam Carheden said "All of my Windows PC's are at SP2 and can I modify the GPO to open or close ports. My AV needs certain ports opened, but I'm not thrilled with having to modify every PC individually.
2005-02-24 12:27: jsclmedave said "FYI, It works fine with Zone Alarm as well.
2005-02-24 12:28: Darren Mar-Elia said "Yes, you can use GP to configure port exceptions on the Windows Firewall. It's under Computer Configuration\Admin Templates\Network\Network Connections\Windows Firewall
2005-02-24 12:28: Adam Carheden said "FYI, It works fine with Zone Alarm as well.
2005-02-24 12:29: Michael Pietrzak said "Yup, similar results. No problems. Very nice and easy to use. Are there going to be more ADM's with Server 2003 SP1?
2005-02-24 12:29: Darren Mar-Elia said "Can you elaborate? What works fine with Zone Alarm? Thanks!
2005-02-24 12:29: Adam Carheden said "Yup, similar results. No problems. Very nice and easy to use. Are there going to be more ADM's with Server 2003 SP1?
2005-02-24 12:30: Darren Mar-Elia said "The ADMs in Server 2003, SP1 are pretty similar to XP, with some minor exceptions.
2005-02-24 12:31: Michael Pietrzak said "ugh, still no way to exclude My Music in folder redirection, bummer
2005-02-24 12:31: Adam Carheden said "ugh, still no way to exclude My Music in folder redirection, bummer
2005-02-24 12:32: Darren Mar-Elia said "No, unfortunately not. I recently heard that that will be addressed in Longhorn--not much help now. Maybe a good 3rd party idea though.
2005-02-24 12:33: jsclmedave said "Having the XP firewall enabled with Zone Alarm works fine. I use this on my home PC without any issues.
2005-02-24 12:33: acarl said "Darren, do you use anything for change management with group policy? Is there a good manual process for this or would you recommend third party tools?
2005-02-24 12:34: Adam Carheden said "Having the XP firewall enabled with Zone Alarm works fine. I use this on my home PC without any issues.
2005-02-24 12:34: Adam Carheden said "Darren, do you use anything for change management with group policy? Is there a good manual process for this or would you recommend third party tools?
2005-02-24 12:34: Darren Mar-Elia said "In case anyone is interested, Microsoft has a tool on their download site called GPInventory--basically what it does is let you centrally collect RSoP reports from lots of systems.
2005-02-24 12:34: Darren Mar-Elia said "Ah, good to know. I think a lot of folks have this configuration.
2005-02-24 12:34: Michael Pietrzak said "With custom ADM's, is it best practice to place those in the sysvol share before you create a GP out of them?
2005-02-24 12:35: Adam Carheden said "With custom ADM's, is it best practice to place those in the sysvol share before you create a GP out of them?
2005-02-24 12:35: Darren Mar-Elia said "From a manual perspective, the closest you can get is GPMC--you can use it to back up GPOs prior to change and then restore them afterwards if you need to. From a 3rd party perspective, the two I know about are NetIQ's GP Administrator and Quest's GP Manager
2005-02-24 12:36: jsclmedave said "For what its worth, IBM is going to this setup, ZA, for all of their internal developer boxes.
2005-02-24 12:36: Adam Carheden said "For what its worth, IBM is going to this setup, ZA, for all of their internal developer boxes.
2005-02-24 12:36: Eroth said "Do you know of an automated way to back up GPO's - either via GPMC or another (native OS) method?
2005-02-24 12:36: Michael Pietrzak said "For acarl, I like all the apps from netpro.com and from ScriptLogic, Active Administrator is nice as well
2005-02-24 12:37: Darren Mar-Elia said "I don't like to manually put ADMs in the SYSVOL share--I think it's best to let the GP editor handle this. So, when you create a GPO, the process of adding the ADM from the GP editor will copy the ADM file up to SYSVOL. That's the cleanest way to do it. Also, you can actually configure Windows to not store any ADMs in SYSVOL--but it currently requires that you edit all your GPOs from a Server 2003 box--probably not a great option for everyone.
2005-02-24 12:37: Adam Carheden said "Do you know of an automated way to back up GPO's - either via GPMC or another (native OS) method?
2005-02-24 12:37: Darren Mar-Elia said "good info.
2005-02-24 12:38: Darren Mar-Elia said "The best way to do this is to use the scripting interfaces in GPMC in conjunction with Task Scheduler. You can schedule backups this way pretty easily.
2005-02-24 12:39: Michael Pietrzak said "Follow up: so keep my custom ADMs on my local machine in the inf dir and they will be copied up automatically? Wasn't sure about this
2005-02-24 12:39: Darren Mar-Elia said "BTW, GPMC includes a couple of pre-canned scripts for backing up one or all GPOs
2005-02-24 12:39: Adam Carheden said "Follow up: so keep my custom ADMs on my local machine in the inf dir and they will be copied up automatically? Wasn't sure about this
2005-02-24 12:40: jsclmedave said "Do any of the Microsoft Updates affect ADMs that you have in place? Meaning, should you back those up prior to Updating your servers in the event they are overwritten?
2005-02-24 12:40: Adam Carheden said "Do any of the Microsoft Updates affect ADMs that you have in place? Meaning, should you back those up prior to Updating your servers in the event they are overwritten?
2005-02-24 12:40: Darren Mar-Elia said "Yes, when you're in the GP editor and you say Add/Remove Templates, after adding it, it gets copied up to the GPT portion of the GPO in SYSVOL. However in general ADM management is a big challenge for folks, esp. if you have multiple GP admins managing multiple ADMs.
2005-02-24 12:41: Darren Mar-Elia said "MS definitely updates the default ADMs when they issue a service pack. Fortunately, they have also started keeping prior versions' ADMs on the MS download site--I have a link to it on my web site. However, I think it's always a good idea to back them up yourself prior to doing an OS update like a Service Pack.
2005-02-24 12:42: Michael Pietrzak said "From one of your past articles, I remember reading that GP's won't be refreshed (or reapplied) unless something has changed. What was the policy again that prevents this behavior?
2005-02-24 12:43: Adam Carheden said "From one of your past articles, I remember reading that GP's won't be refreshed (or reapplied) unless something has changed. What was the policy again that prevents this behavior?
2005-02-24 12:43: Eroth said "I have a lot of remote users and I see inconsistent application of Group Policy over our VPN solution. Can you recommend any settings to make policy application smoother and more consistent for intermittently, and some poorly-connected users?
2005-02-24 12:43: Adam Carheden said "I have a lot of remote users and I see inconsistent application of Group Policy over our VPN solution. Can you recommend any settings to make policy application smoother and more consistent for intermittently, and some poorly-connected users?
2005-02-24 12:44: Darren Mar-Elia said "Yes, that is true (all except for security policy, which will refresh every 16 hours even if there has not been a change). You can override this behavior on a per-CSE basis by modifying the policy processing settings under Computer Configuration|Admin Templates|System|Group Policy. Keep in mind though that forcing a refresh during every foreground and background processing cycle can result in increased GP processing time.
2005-02-24 12:46: Michael Pietrzak said "Great, thanks!
2005-02-24 12:46: Darren Mar-Elia said "Frankly, Windows does a lousy job of policy processing in these kinds of remote scenarios. It's a specific area that MS is addressing in Longhorn, I believe. However, in some cases it results from a slow link being detected, which can alter the default processing behavior for certain policy areas. If there is a specific policy area that you need to force even over a slow link, you can modify this behavior under Computer Configuration|Admin Templates|System|Group Policy. Outside of that, I haven't found any better solution for these.
2005-02-24 12:47: jsclmedave said "If there is a GP setting made in a specific OU to both a user and their PC. Then that user and PC is moved to another OU where those settings are not configured things can get a little weird. Is the fix for this to enable the setting, gpupdate /force, then select the settings you want and repeat above?
2005-02-24 12:48: Darren Mar-Elia said "Just in case anyone is interested. Here's a tip on how you can launch GP editor against a domain GPO from the command line. The following syntax lets you do it: gpedit.msc gpobject:?LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=test,DC=com where the DN is the GUID of the GPO.
2005-02-24 12:49: Michael Pietrzak said "So that would be a short cut if you didn't have the admin tools or gpmc installed?
2005-02-24 12:49: Darren Mar-Elia said "jsclmedave--not sure I follow. If you move the user and computer their previous policy settings no longer apply but you want them to? In that case, you might need to link that GPO to their new OU.
2005-02-24 12:49: Adam Carheden said "So that would be a short cut if you didn't have the admin tools or gpmc installed?
2005-02-24 12:49: Eroth said "Thanks, Darren. I'm glad to hear that I'm not just being a dunce about it :)
2005-02-24 12:50: Darren Mar-Elia said "Correct--you can do that outside of AD Users and Computers or GPMC. It's much faster than having to launch those tools to get to GP editor if you know exactly which GPO you want to edit
2005-02-24 12:51: Darren Mar-Elia said "Ed--no definitely not you.
2005-02-24 12:51: acarl said "How about folder redirection vs. Roaming Profiles. What are the benefits/drawbacks of each?
2005-02-24 12:51: Adam Carheden said "How about folder redirection vs. Roaming Profiles. What are the benefits/drawbacks of each?
2005-02-24 12:51: jsclmedave said "The GP settings could not be turned off... I locked a couple PCs from being able to change their desktop settings even though the setting in the current OU was Not Enabled.
2005-02-24 12:52: Darren Mar-Elia said "They are complementary technologies. Folder redirection lets you reduce the amount of data that has to roam with the user who has roaming profiles, by redirecting, for example, My Documents to a fixed server share. If you weren't redirecting that data, then each new PC that the user logs onto--they would have to download the contents of My Documents to that local user profile cache.
2005-02-24 12:53: Darren Mar-Elia said "Roaming profiles can be problematic however--I only recommend using them if you truly have users that need to roam across PCs.
2005-02-24 12:53: Michael Pietrzak said "Will a custom ADM put or write the registry entries in (that they are set to modify) if they are not there to begin with or does the registry key need to be there?
2005-02-24 12:53: Darren Mar-Elia said "Otherwise, I would just stick to Folder redirection, which has the added benefit of putting user data on servers that can be more easily backed up.
2005-02-24 12:54: Adam Carheden said "The GP settings could not be turned off... I locked a couple PCs from being able to change their desktop settings even though the setting in the current OU was Not Enabled.
2005-02-24 12:54: Adam Carheden said "Will a custom ADM put or write the registry entries in (that they are set to modify) if they are not there to begin with or does the registry key need to be there?
2005-02-24 12:55: Darren Mar-Elia said "Ok. In that case, it sounds like some tattooing was happening even though it should not have been. In that case, doing a gpupdate /force or even just having the user logoff and back on should fix the problem. If it does not, I would fire up userenv logging because something sounds like it's not working as expected.
2005-02-24 12:56: Darren Mar-Elia said "The registry key does not need to be there first--it will get created by the adm file.
2005-02-24 12:56: Michael Pietrzak said "Thanks, that one was puzzling to me
2005-02-24 12:57: Darren Mar-Elia said "Yep. MS has a great whitepaper on their site about writing ADMs. I have a link to it on my site, on the Resources page.
2005-02-24 12:59: Michael Pietrzak said "In regards to the My Music being redirected via folder redirection, can a GP be created to restrict the ability to write to that directory path? Right now I only use GP's to alter perms on entire volumes, not an embedded folder....Thanks, I will look at that WP after.
2005-02-24 13:00: acarl said "Can I manage things other than registry settings with Group Policy? Specifically, I want to manage Firefox settings which are stored in a config file.
2005-02-24 13:01: Darren Mar-Elia said "If you're talking about using file system security policy, then no, that won't work, mostly because that policy is computer-specific and you would need it to process a user-specific file path. Also file security policy is pretty expensive, from a processing perspective.
2005-02-24 13:02: Darren Mar-Elia said "I've heard the question about managing Firefox configs. I don't think there is anything out of the box to do this, but you could probably script something and then deliver that as either a startup or logon script. There are 3rd party extensions that allow editing of text files through policy, but not sure how flexible they are to allow editing of a Firefox config file. However, it's an interesting question and I will look into it and post something on my site if I find a good answer.
2005-02-24 13:02: Michael Pietrzak said "Gotcha, thanks again. To acarl, the Mozilla people told me that they are working on GP integration. They said for now the only way would be to use GP to distribute that file via logon script.
2005-02-24 13:03: Michael Pietrzak said "For now they do offer a firefox.msi that can be used to install FF via GP's
2005-02-24 13:04: Darren Mar-Elia said "Thanks Michael! Great info.
2005-02-24 13:05: Adam Carheden said "Thank you to everyone for joining the chat. We're approaching the hour, so I'd like to wrap it up. If you have any final questions for Darren Mar-Elia, please ask them now.
2005-02-24 13:06: Michael Pietrzak said "Thanks for all your help Darren, see you inasi.com and gptalk!
2005-02-24 13:06: Darren Mar-Elia said "Thanks for joining today everyone. I hope it was useful
2005-02-24 13:07: jsclmedave said "Ditto!
2005-02-24 13:07: Eroth said "Thanks, Darren and Adam
2005-02-24 13:08: Barb Gibbens said "Thanks for doing this chat, Darren!
2005-02-24 13:09: Darren Mar-Elia said "Thanks. It was fun!
2005-02-24 13:11: admin said "Thank You Everyone, the room is now closing.